Incident Response, Network Security, TDR, Vulnerability Management

Audit uncovers flaws in U.S.’s ‘EINSTEIN’ cybersecurity program

A new report from the U.S. Government Accountability Office (GAO) exposed multiple perceived flaws in the current state of the Department of Homeland Security's (DHS) National Cybersecurity Protection System (NCPS), otherwise known as EINSTEIN.

The GAO cited several inadequacies in the NCPS, which first launched in 2003 to patrol network traffic flowing to and from federal agencies. The system, which is expected to cost about $5.7 billion through 2018, is built on four pillars: intrusion detection, intrusion prevention, analytics and information sharing. After conducting an audit between June 2014 and January 2016, the GAO found several of these components in need of improvement. “Until NCPS's intended capabilities are more fully developed, DHS will be hampered in its abilities to provide effective cybersecurity related support to federal agencies,” the report concluded.

For instance, while Einstein's intrusion detection system is effective at identifying malicious traffic that possesses the same telltale digital signatures as previous attacks, it lacks the ability to detect zero-day attacks that do not bear the hallmarks of previous incursions, the report explains. For that, Einstein would need to utilize more advanced detection methodologies that look for anomalous network activity that deviates from a pre-established baseline of behavior.

The report also notes that the NCPS does not currently monitor all types of network traffic for embedded threats, nor is its list of malicious signatures as comprehensive as it should be.

Mark Weatherford, chief cybersecurity strategist at vArmour and former deputy undersecretary for cybersecurity at DHS, refuted this particular critique to “It really is an issue of unmanaged expectations,” said Weatherford, explaining that from its inception EINSTEIN was only supposed to employ signature-based threat detection. “So it's a little bit of a misinterpretation of the technology to think that EINSTEIN should detect zero days.”

But in the context of today's threat climate, should EINSTEIN's detection capabilities be more versatile? “I think that's debatable, but I go back to what I've always said—it [EINSTEIN] was always going to be one arrow in the quiver of security tools” the government is employing to combat cyberattacks, Weatherford added.

Other salient critiques in GAO's report:

  • DHS lacks metrics for ascertaining the effectiveness of EINSTEIN's intrusion detection and prevention capabilities.
  • Einstein's intrusion prevention mechanisms are able to disrupt some forms of malicious traffic, such as emails, but do not address malicious content within web traffic. (DHS plans to deliver this capability in 2016.)
  • Most of the planned functionality for NCPS's information sharing capabilities has yet to be developed. Moreover, agencies using EINSTEIN have differed on the usefulness of such intelligence.

DHS Secretary Jeh Johnson responded to the report with his own statement in defense of the NCPS program, touting the accelerated rollout of EINSTEIN's latest phase (E3A), designed to actively block cyberattacks instead of just detecting them. “A year ago, EINSTEIN 3A protected only about 20 percent of the government,” Johnson said in the statement. “At present, EINSTEIN 3A is in fact protecting 50 percent of the government and is now available to 100 percent of the government. And, to date, EINSTEIN 3A has blocked over 700,000 cyberthreats.”

Johnson did acknowledge that the EINSTEIN system is “not a silver bullet. It does not stop all attacks, nor is it intended to do so. It is part of a broader array of defenses.”

Weatherford said some of the criticism leveled in the report may—or may not—be due to a flawed audit process where the evaluators were not privy to certain technological insights. “We're talking about something very sophisticated, very technical. To do an audit of something so complicated, you need to have the rights skills for that,” said Weatherford. “I have been, both on the private sector side and the government side, the subject of an audit and they just don't always get it right.”

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.